Are All Android Phones Vulnerable To A New Malware Attack?

A much-reported security flaw in Android allegedly renders "99 per cent of devices vulnerable" to malware attack. But before you panic and start disconnecting every Android device in sight from your corporate networks, a little investigation might be in order.

The claims

In a blog post, security firm Bluebox revealed that earlier this year it discovered a bug in Android that made it possible (in theory) to alter the code in a given Android APK (the file in which an application is packaged) in such a way that the alteration was not obvious to Android's built-in checking systems. Android uses a cryptographic signature to check that code hasn't been altered; Bluebox says the bug makes it possible to alter the code without this change being registered.
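
To make the mechanism concrete, here is an added example (not from the article, and not Bluebox's or Android's code) of how a signed application package lets an installer detect tampering. It is a simplified model: a manifest of per-file SHA-256 digests is signed, and the verifier checks both the signature over the manifest and every file against it, refusing to install if the archive and the manifest disagree about what is inside. Android's real APK signing format differs, and it uses asymmetric keys where this example uses an HMAC with a constructed key as a stand-in; the file names, contents and key are all constructed for illustration.

```python
"""Simplified model of a signed application package and its verifier.
Added example; not Android's implementation. HMAC with a constructed key
stands in for the publisher's asymmetric signature."""
from __future__ import annotations

import hashlib
import hmac
import io
import json
import zipfile

MANIFEST_NAME = "META-INF/MANIFEST.json"
SIGNATURE_NAME = "META-INF/MANIFEST.sig"

# Constructed key. In a real scheme only the publisher holds the private
# key and the device holds the public half; a tamperer has neither.
SIGNING_KEY = b"constructed-example-signing-key"

# Constructed stand-ins for an app's code and metadata files.
SAMPLE_FILES = {
    "classes.dex": b"constructed placeholder for compiled application code",
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signed_package(files: dict[str, bytes], key: bytes = SIGNING_KEY) -> bytes:
    """Zip the files together with a digest manifest and a signature over it."""
    manifest = {name: sha256_hex(content) for name, content in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    signature = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        zf.writestr(MANIFEST_NAME, manifest_bytes)
        zf.writestr(SIGNATURE_NAME, signature)
    return buf.getvalue()


def verify_package(package: bytes, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Return (ok, reason). ok only if every byte that would be installed is
    covered by a digest that the signature vouches for."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        # A verifier and an installer must never read different copies of a name.
        if len(names) != len(set(names)):
            return False, "duplicate entry names"
        if MANIFEST_NAME not in names or SIGNATURE_NAME not in names:
            return False, "missing manifest or signature"
        manifest_bytes = zf.read(MANIFEST_NAME)
        expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, zf.read(SIGNATURE_NAME)):
            return False, "signature does not match manifest"
        manifest = json.loads(manifest_bytes)
        content_names = set(names) - {MANIFEST_NAME, SIGNATURE_NAME}
        # Everything to be installed must be listed; nothing listed may be absent.
        if content_names != set(manifest):
            return False, "manifest and archive contents disagree"
        for name in sorted(content_names):
            if not hmac.compare_digest(sha256_hex(zf.read(name)), manifest[name]):
                return False, f"digest mismatch for {name}"
    return True, "ok"


def replace_entry_unsigned(package: bytes, name: str, new_content: bytes) -> bytes:
    """Rewrite one entry without re-signing, i.e. what a change made without
    the publisher's key looks like. Used here only to exercise the verifier."""
    src = zipfile.ZipFile(io.BytesIO(package))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            data = new_content if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_signed_package(SAMPLE_FILES)
    print("original:", verify_package(pkg))
    altered = replace_entry_unsigned(pkg, "classes.dex", b"altered code")
    print("altered code:", verify_package(altered))
```

The design point is that verification must cover exactly the set of files the installer will go on to use: checking the signature over the manifest alone, or checking digests only for the names the manifest happens to list, leaves a gap between what was verified and what runs.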

Bluebox hasn't issued a detailed description yet of how the vulnerability works; this will apparently be disclosed at the US Black Hat conference at the end of July. And that's a crucial point: the issue hasn't been spotted in the wild, and a detailed description of how to exploit the vulnerability has not been issued.

Bluebox says it notified Google of the issue in February and that patching of specific device versions of Android has commenced. Given the scheduled conference date, it seems probable that patches for many newer phones will be available before the details are disclosed; it's considered very bad form in security circles to disclose details of vulnerabilities without giving the software's developer a chance to patch the issue. Bluebox's own post notes:

It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question.

The complication for Android is that many older phones can't be upgraded without rooting the device, or simply can't be upgraded at all. Those devices are likely to remain vulnerable once details of the exploit are more widely known.

The issues

Crucially, altering an Android application can change its behaviour, but doesn't alter the permissions which it already has. If a given app doesn't have permission to access your camera, this hack won't change that.

The Bluebox blog post highlights that the major risk for most Android owners will occur if the custom apps added by many phone manufacturers are hacked. Those manufacturer-supplied apps and UI layers typically run with full system access, so the scope of malicious behaviour will be much broader. As Bluebox puts it: "Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed."

The big lesson here: devices running stock Android are at less risk (as well as being, for the most part, less annoying).

How to respond

While there is a lot of ill-informed panicked advice out there telling users not to install any non-Google apps for the time being, this is an overreaction. Users running Android security software which checks for suspicious behaviour (rather than solely relying on signatures) will be far less vulnerable, since those activities will be flagged by the software.

The issue highlights one of the oldest lessons in IT security: keep your devices patched and up-to-date. This is sensible for everyone, but essential in environments where phones are given access to potentially sensitive data.

Best practice for IT management dictates not just protecting apps, but encrypting data. Bluebox itself makes the point well: "IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data." If your workplace security policy consists of nothing more than telling people they are responsible for their own devices, your problems run a lot deeper than a newly-discovered vulnerability.

It's all well and good to say that devices should be patched and up to date, but because of the poor ongoing support by many or most manufacturers, this isn't really an option.
Perhaps it is time that the ACCC got involved in software support as well as hardware warranties for mobile phones...
